A team of researchers from German hacking group Chaos Computer Club (CCC) has discovered several critical vulnerabilities in PC-Wahl—software used to capture, tabulate and transfer the votes from local polling centres to the state level during all parliamentary elections for decades.

According to the CCC analysis, the vulnerabilities could lead to multiple practicable attack scenarios that eventually allow malicious agents in the electoral office to change total vote counts.

Critical Flaws Found In German Voting-Software

The hacker collective found that the automatic software update module of PC-Wahl downloads packages over an insecure HTTP connection and does not perform any integrity check using digital signatures.

Moreover, the software uses an older encryption method with a single secret key hard-coded in the software, rather than asymmetrical encryption that offers better security by design.
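The check the update module is described as lacking, shown as an added Go example (not code from PC-Wahl or the CCC paper): the client refuses non-HTTPS URLs and accepts a package only if its signature verifies against a pinned vendor public key. Ed25519, the function names, the host name and the package bytes are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"net/url"
)

// VerifyUpdate accepts a package only if its URL is HTTPS and the detached
// signature verifies against the vendor public key pinned in the client.
// Only the public key ships, so extracting it from the binary does not let
// anyone sign a forged package (a hard-coded symmetric key would).
func VerifyUpdate(rawURL string, pkg, sig []byte, pinned ed25519.PublicKey) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return fmt.Errorf("bad update URL: %w", err)
	}
	if u.Scheme != "https" {
		return errors.New("refusing update over non-HTTPS transport")
	}
	if len(pinned) != ed25519.PublicKeySize {
		return errors.New("pinned key has wrong length") // Verify would panic
	}
	if !ed25519.Verify(pinned, pkg, sig) {
		return errors.New("signature does not match pinned vendor key")
	}
	return nil
}

// Demo runs three constructed cases: genuine, modified in transit, plain HTTP.
func Demo() (genuine, tampered, plainHTTP error) {
	pub, priv, err := ed25519.GenerateKey(nil) // constructed vendor key pair
	if err != nil {
		return err, err, err
	}
	pkg := []byte("constructed update package, build 1")
	sig := ed25519.Sign(priv, pkg) // done once, offline, by the vendor
	const httpsURL = "https://updates.example/pkg.bin" // placeholder host
	genuine = VerifyUpdate(httpsURL, pkg, sig, pub)
	tampered = VerifyUpdate(httpsURL, append(pkg, 0x00), sig, pub)
	plainHTTP = VerifyUpdate("http://updates.example/pkg.bin", pkg, sig, pub)
	return
}

func main() {
	g, t, h := Demo()
	fmt.Println("genuine:", g, "| tampered:", t, "| plain HTTP:", h)
}
```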

The software includes an FTP module that sends the voting results to a central password-protected FTP server, but the researchers believe the password for data sharing has been shared among electoral staff.

"The same access data has always been used for various polling stations and constituencies in Hesse for many years so that an attacker has been able to manipulate the results of all municipalities simultaneously and centrally," the research paper [PDF] (translated) reads.

Software Company Denied Vulnerability Report

According to the German magazine Spiegel, the manufacturer of PC-Wahl has denied the allegations that its software is vulnerable to cyber attacks.

The CCC hacking collective has urged the German government and election commission to take the necessary action to tackle the issues in the election software in order to protect the September 24 election, which the group fears could be subject to interference.

In response, German Federal Election Director Dieter Sarreither said he was familiar with the issues discovered by the CCC and had asked state officials and the software company to take necessary steps to address them, Reuters reported.

Germany's federal cyber protection agency, BSI, said it had worked closely with election officials and the software manufacturer to improve the security of election results.

"In the future, only information technology based on BSI-certified software should be used for election processes," says BSI chief Arne Schoenbohm.

Election hacking has become a major debate following the 2016 US presidential election, where it was reported that Russian hackers managed to access United States voting machines in 39 states in the run-up to the election. However, there is no evidence yet to justify the claims.

But in countries like America, even hacking electronic voting machines is possible, and in a matter of minutes.

Several hackers reportedly managed to hack into multiple United States voting machines in a relatively short period (in some cases within minutes, and in others within a few hours) at the Def Con cybersecurity conference held in Las Vegas this week.

Citing people's concerns about the integrity and security of American elections, Def Con for the first time hosted a "Voting Machine Village" event, where tech-savvy attendees tried to hack some systems and help catch vulnerabilities.

Voting Machine Village provided 30 different pieces of voting equipment used in American elections in a room, which included Sequoia AVC Edge, ES&S iVotronic, AccuVote TSX, WinVote, and Diebold Expresspoll 4000 voting machines.

And what's horrible? The group of attendees reportedly took less than 90 minutes to compromise these voting machines.

Members of the Def Con hacking community managed to take complete control of an e-poll book, a piece of election equipment currently in use in dozens of states, where voters sign in and receive their ballots.

Other hackers in attendance claimed to have found significant security flaws in the AccuVote TSX, which is currently in use in 19 states, and the Sequoia AVC Edge, used in 13 states.

Another hacker broke into the hardware and firmware of the Diebold TSX voting machine.

Hackers were also able to hack into the WinVote voting machine, which is available on eBay and has long been removed from use in elections due to its vulnerabilities.

Hackers discovered a remote access vulnerability in WinVote's operating system, which exposed real election data that was still stored in the machine.

Another hacker hacked into the Express-Pollbook system and exposed the internal data structure via a known OpenSSL vulnerability (CVE-2011-4109), allowing anyone to carry out remote attacks.

"Without question, our voting systems are weak and susceptible. Thanks to the contributors of the hacker community today, we’ve uncovered even more about exactly how," Jake Braun, a cybersecurity expert at the University of Chicago, told Reg media.

"The scary thing is we also know that our foreign adversaries — including Russia, North Korea, Iran — possess the capabilities to hack them too, in the process undermining the principles of democracy and threatening our national security."

Hacking of voting machines is also a major concern in India these days, but the government and election commission have declined to host such an event to test the integrity of EVMs (Electronic Voting Machines) used during the country's General and State Elections.

BREAKING: A misconfigured database has resulted in the exposure of around 191 Million voter records including voters' full names, their home addresses, unique voter IDs, dates of birth and phone numbers.

The database was discovered on December 20th by Chris Vickery, a white hat hacker, who was able to access over 191 Million Americans’ personal identifying information (PII) that is just sitting in public, to be found by anyone looking for it.

Vickery is the same security researcher who uncovered personal details of 13 Million MacKeeper users two weeks ago, which included names, email addresses, usernames, password hashes, IP addresses, phone numbers, and system information.

However, the recent discovery shocked him when he saw his own information in the database, according to DataBreaches.net, which the researcher contacted and provided with all the details about his finding.

300GB Trove of Voters' Information Leaked

Vickery has his hands on all 300GB of the database, which contains a long list of voter records including:

Full name (first, middle, last)

Residential address

Mailing address

A unique voter ID

State voter ID

Gender

Date of birth

Date of registration

Phone number

Political affiliation

A detailed voting history since 2000

Fields for voter prediction scores

Vickery looked up not just his own record but also those of a number of police officers in his city, and confirmed the information was all correct. Reporters from CSO and DataBreaches.net did the same and upheld the accuracy as well.

Fortunately, the database doesn't contain Social Security Numbers, driver's license numbers, or any financial data, but it's still a massive amount of data when it comes to protecting users' privacy and security.

What's Even More Shocking?

The crazy part of the data breach is no one is taking responsibility for the exposed database.

Vickery, CSO and DataBreaches.net contacted various political tech groups and known voter information companies, but all denied the database belonged to them.

The FBI and the Internet Crime Complaint Center were both approached by Vickery and DataBreaches.net, so let’s now see how long this information remains alive and accessible for anyone to see.